On 25/07/11 13:03, Shaun Kluzek wrote:
Hi, my name is Shaun Kluzek. I have been using Linux now for about a
decade and have spent the last two years using Arch Linux and previously
using Gentoo. I studied computer science in Melbourne, Australia at RMIT
University and program well in C.
After reading "The real story behind Arch Linux package signing" by Dan
McGee, I headed over to Allan McRae's TODO list for package signing, and
spotted the pacman signature verification. Acting upon this, I built the
gpgme documentation from the texi files and have spent the last two days
reading and understanding it (GNU doesn't make this very easy). As a
result, I have successfully written a small C program that verifies a
detached ASCII-armored signature with its accompanying file against
users in your keyring. The code at this stage is test code and very
messy; however, it loads in a detached sig, say signed.asc, then loads in
the signed file somefile and then verifies it, giving the validation
back in a bit vector. The code needs to be rewritten and split into some
nice functions. I have obtained the pacman source code from git and had a
brief look through it just prior to writing the libgpgme stuff. Once
tidied up (into functions and descriptive error output) I don't think it
would be much problem adding it into pacman. How should I proceed?


My suggestion would be to take a better look at what is currently in the pacman source code from git and have a read of the mailing list archives to get an idea of what is currently already done. There has been substantial progress on implementing this that you appear to have overlooked.

Allan
